An example that shows that _PyInstance_Lookup() does not fulfill

author Armin Rigo <arigo@tunes.org>

Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)

committer Armin Rigo <arigo@tunes.org>

Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)
author Armin Rigo <arigo@tunes.org>
Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)
committer Armin Rigo <arigo@tunes.org>
Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)
diff --git a/Lib/test/crashers/gc_has_finalizer.py b/Lib/test/crashers/gc_has_finalizer.py

new file mode 100644 (file)

index 0000000..737959b
--- /dev/null
+++ b/Lib/test/crashers/gc_has_finalizer.py
@@ -0,0 +1,36 @@
+"""
+The gc module can still invoke arbitrary Python code and crash.
+This is an attack against _PyInstance_Lookup(), which is documented
+as follows:
+
+    The point of this routine is that it never calls arbitrary Python
+    code, so is always "safe":  all it does is dict lookups.
+
+But of course dict lookups can call arbitrary Python code.
+The following code causes mutation of the object graph during
+the call to has_finalizer() in gcmodule.c, and that might
+segfault.
+"""
+
+import gc
+
+
+class A:
+    def __hash__(self):
+        return hash("__del__")
+    def __eq__(self, other):
+        del self.other
+        return False
+
+a = A()
+b = A()
+
+a.__dict__[b] = 'A'
+
+a.other = b
+b.other = a
+
+gc.collect()
+del a, b
+
+gc.collect()
author	Armin Rigo <arigo@tunes.org>
	Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)
committer	Armin Rigo <arigo@tunes.org>
	Fri, 3 Sep 2010 09:26:14 +0000 (09:26 +0000)